What is a Domain Name System?
Domain Name System (DNS) is the system that lets computers and services connected to the Internet resolve domain names to IP addresses. It converts human-readable domain names (www.dnsfilter.com) into Internet Protocol (IP) addresses (126.96.36.199). Computers address each other with numbers rather than names, so DNS was developed as a sort of “phonebook” that translates the domain you enter in your browser into a computer-readable IP address.
How does DNS Work?
We already know that DNS maps domain names to IP addresses, but where is this information stored? It is stored on nameservers. Nameservers hold DNS records, the actual entries that say “this domain” maps to “this IP address.” That said, there is no single room holding all the nameservers and DNS records in one spot. Instead, the system is distributed all over the world, starting with the root servers. Rather than storing every domain name ever registered, the root servers store the locations of the Top Level Domains (TLDs) under which those domain names live.
These TLDs are two- or three-character extensions like ".com" and ".org," or country codes like ".ca." Each TLD has its own set of nameservers that record which nameserver is authoritative for a given domain’s DNS records. The authoritative nameserver is typically the DNS provider or the DNS registrar (like GoDaddy, which offers both DNS registration and hosting). That is where we find the DNS record that maps example.com to the IP address 127.66.122.88.
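The root-to-TLD-to-authoritative walk described above, as an added example that is not part of the original article and not DNSFilter's code. The zone data is constructed for the demo: the nameserver names under `.example` and the `example.com` address (reused from the article's own illustration) are placeholders, not real infrastructure.

```python
# Added example: a simplified iterative DNS resolution over constructed zone data.
# Nothing here talks to the network; every name and address is a placeholder.

# Root servers know only where each TLD's nameservers live.
ROOT_ZONE = {
    "com.": ["a.gtld-servers.example"],   # constructed TLD nameserver name
    "org.": ["b.gtld-servers.example"],
}

# Each TLD nameserver knows which nameserver is authoritative for a registered domain.
TLD_ZONES = {
    "com.": {"example.com.": ["ns1.example-dns.example"]},
    "org.": {},
}

# Authoritative nameservers hold the actual records (the "phonebook" entries).
AUTHORITATIVE_ZONES = {
    "ns1.example-dns.example": {
        "example.com.": "127.66.122.88",      # illustrative value from the article
        "www.example.com.": "127.66.122.88",
    },
}


def _normalize(name: str) -> str:
    """Lowercase the name and make it fully qualified (trailing dot)."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def resolve(name: str):
    """Return (ip_or_None, trail); trail lists each referral step that was taken."""
    fqdn = _normalize(name)
    labels = fqdn.rstrip(".").split(".")
    trail = []

    # Step 1: a root server tells us who serves the TLD.
    tld = labels[-1] + "."
    tld_servers = ROOT_ZONE.get(tld)
    if not tld_servers:
        trail.append(f"root: no nameservers for TLD {tld}")
        return None, trail
    trail.append(f"root -> {tld} served by {tld_servers[0]}")

    # Step 2: the TLD server tells us which nameserver is authoritative for the domain.
    registered = ".".join(labels[-2:]) + "."
    auth_servers = TLD_ZONES[tld].get(registered)
    if not auth_servers:
        trail.append(f"{tld_servers[0]}: no delegation for {registered} (NXDOMAIN)")
        return None, trail
    trail.append(f"{tld_servers[0]} -> {registered} delegated to {auth_servers[0]}")

    # Step 3: the authoritative server answers with the A record itself.
    records = AUTHORITATIVE_ZONES.get(auth_servers[0], {})
    ip = records.get(fqdn)
    if ip is None:
        trail.append(f"{auth_servers[0]}: no A record for {fqdn} (NXDOMAIN)")
        return None, trail
    trail.append(f"{auth_servers[0]} -> {fqdn} A {ip}")
    return ip, trail


if __name__ == "__main__":
    for query in ("www.example.com", "missing.example.com", "example.net"):
        ip, steps = resolve(query)
        print(query, "=>", ip)
        for step in steps:
            print("   ", step)
```

A real recursive resolver caches each referral it learns, so the second lookup under `.com` skips the root step; the trail returned here shows the full chain every time to keep the delegation visible.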
How can I secure my DNS?
The biggest question raised by DNS-over-HTTPS is how it will affect companies that have their own DNS security, such as DNSFilter. There are two steps you can take to ensure that DoH does not interfere with your filtering policies:
You can prevent your browser from circumventing your policies by restricting DNS resolution to only DNSFilter. This is best done at the firewall level by blocking DoH addresses. This ensures that your DNSFilter policies will always remain in effect. For complete directions, check out our help article on preventing circumvention. DNSFilter helps to maintain a community list of DoH servers so that system administrators can restrict access.
You can set up DNS-over-TLS as a full-featured alternative. DNSFilter fully supports DNS-over-TLS using our Roaming Clients or DNS Relay. DNS-over-TLS is more comprehensive than DoH because it encrypts all DNS traffic on your machine (rather than only web browser traffic). For this reason, it is DNSFilter’s preferred security method.
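One way to check whether observed traffic actually obeys a "DNS only goes to the designated resolver" policy, as an added example that is not DNSFilter's code. It assumes a constructed flow log in `src dst dport proto` form; the approved resolver address and the stand-in DoH server list use RFC 5737 documentation addresses as placeholders, where a real deployment would use its own resolver and a maintained list such as the community list mentioned above.

```python
# Added example: classify connection records against a DNS egress policy.
# All addresses are RFC 5737 documentation addresses (placeholders).
from dataclasses import dataclass

# Placeholder for the resolver(s) your filtering policy relies on.
APPROVED_RESOLVERS = {"192.0.2.53"}

# Placeholder stand-in for a maintained list of public DoH endpoints.
# DoH rides on 443, so a flow to it looks like ordinary HTTPS by port alone;
# a destination list like this is what makes a firewall rule possible.
KNOWN_DOH_SERVERS = {"203.0.113.10", "203.0.113.11"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str  # "tcp" or "udp"


def classify(flow: Flow) -> str:
    """Label one flow: allowed, plain-dns-bypass, dot-bypass, doh-bypass or other."""
    if flow.dport == 53:
        return "allowed" if flow.dst in APPROVED_RESOLVERS else "plain-dns-bypass"
    if flow.dport == 853 and flow.proto == "tcp":   # DoT has its own port
        return "allowed" if flow.dst in APPROVED_RESOLVERS else "dot-bypass"
    if flow.dport == 443 and flow.dst in KNOWN_DOH_SERVERS:
        return "doh-bypass"
    return "other"


def audit(flows):
    """Return (flow, label) for every flow that violates the policy."""
    return [(f, label) for f in flows
            if (label := classify(f)) not in ("allowed", "other")]


def parse_flow_line(line: str) -> Flow:
    """Parse one constructed 'src dst dport proto' log line."""
    src, dst, dport, proto = line.split()
    return Flow(src, dst, int(dport), proto.lower())


# Constructed sample log lines, not a real capture.
SAMPLE_LOG = """\
198.51.100.20 192.0.2.53 53 udp
198.51.100.20 192.0.2.53 853 tcp
198.51.100.21 203.0.113.99 53 udp
198.51.100.22 203.0.113.10 443 tcp
198.51.100.22 198.51.100.80 443 tcp
198.51.100.23 203.0.113.12 853 tcp
"""

if __name__ == "__main__":
    for flow, label in audit(parse_flow_line(l) for l in SAMPLE_LOG.splitlines()):
        print(f"{label:18} {flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}")
```

The port-53 and port-853 cases can be enforced purely by port, which is why DoT fits a firewall policy cleanly; the port-443 case depends entirely on how current the DoH destination list is, so a flow to an unlisted DoH server is reported as `other` here, not as a bypass.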
What is DNS-over-HTTPS?
DNS-over-HTTPS (DoH) is a DNS encryption method that works over HTTPS. It is also an alternative to the encryption method DNS-over-TLS.
New technology always brings unknown factors. Over the past year, leading web browsers began implementing a new internet protocol called DNS-over-HTTPS. DoH is a method for performing Domain Name System (DNS) resolution using the HTTPS Protocol.
This represents a significant change in how browser vendors envision the future of DNS. Traditionally, DNS lookups have been performed by the operating system of the device. By using HTTPS, browser vendors are shifting this responsibility onto themselves.
What is DNS-over-TLS?
DNS-over-TLS (DoT), released in 2016, is the first DNS encryption standard to be established.
DoT carries the client’s DNS requests through a TLS channel on port 853 instead of the common port 53 used for unencrypted DNS. This prevents anyone on the network path from seeing or manipulating the DNS request.
Once the TLS handshake has authenticated the DNS resolver and established a secure channel, the DNS client and resolver exchange messages over that channel. The connection is usually kept open for the further DNS requests the client makes during that session.
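The exchange described above at the wire level, as an added example that is not part of the article and not DNSFilter's code. DoT (RFC 7858) carries ordinary DNS messages inside TLS on port 853, each prefixed by a two-byte length as in DNS over TCP. The query builder, framing and answer parser run offline against a constructed response; `query_over_dot` needs network access and a resolver hostname you are permitted to use, which is left as a placeholder argument. The example also parses compressed answer names, which is more than the prose covers.

```python
# Added example: DoT framing of a DNS query/response (RFC 7858 over RFC 1035 wire format).
import socket
import ssl
import struct

DOT_PORT = 853


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Wire-format DNS query: 12-byte header + QNAME + QTYPE A + QCLASS IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def frame(message: bytes) -> bytes:
    """Prefix the message with its two-byte big-endian length (TCP/TLS transports)."""
    return struct.pack("!H", len(message)) + message


def _skip_name(data: bytes, offset: int) -> int:
    """Advance past a (possibly compressed) name and return the new offset."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return offset + 2
        offset += 1 + length


def parse_a_records(message: bytes):
    """Return the IPv4 addresses found in the answer section of a response."""
    _txid, _flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", message[:12])
    offset = 12
    for _ in range(qdcount):
        offset = _skip_name(message, offset) + 4   # skip QTYPE/QCLASS
    addresses = []
    for _ in range(ancount):
        offset = _skip_name(message, offset)
        rtype, rclass, _ttl, rdlength = struct.unpack("!HHIH", message[offset:offset + 10])
        offset += 10
        if rtype == 1 and rclass == 1 and rdlength == 4:
            addresses.append(".".join(str(b) for b in message[offset:offset + 4]))
        offset += rdlength
    return addresses


def _read_exact(sock, n: int) -> bytes:
    """Read exactly n bytes from a stream socket."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("resolver closed the connection early")
        buf += chunk
    return buf


def query_over_dot(resolver_host: str, name: str, timeout: float = 5.0):
    """Authenticate a DoT resolver over TLS on port 853, send one query, parse the reply.
    Needs network access; resolver_host is a placeholder for a resolver you may use."""
    context = ssl.create_default_context()     # verifies the resolver's certificate
    with socket.create_connection((resolver_host, DOT_PORT), timeout=timeout) as raw:
        with context.wrap_socket(raw, server_hostname=resolver_host) as tls:
            tls.sendall(frame(build_query(name)))
            (length,) = struct.unpack("!H", _read_exact(tls, 2))
            return parse_a_records(_read_exact(tls, length))


# Constructed response for offline use: echoes the question for example.com, then one
# A record whose name is a compression pointer (0xC00C) back to the QNAME, carrying the
# article's illustrative address 127.66.122.88.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([127, 66, 122, 88])
)

if __name__ == "__main__":
    print(frame(build_query("example.com")).hex())
    print(parse_a_records(SAMPLE_RESPONSE))
```

A production client would keep the TLS session from `query_over_dot` open and send further framed queries over it, which is the persistence the text describes; this example opens one session per call to keep the exchange readable.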
(You can find more info about how DNS-over-TLS works with our Roaming Clients here.)
What are the differences between DoT and DoH?
| | DNS-over-TLS (DoT) | DNS-over-HTTPS (DoH) |
|---|---|---|
| Port | Opens a new port (853) for creating a secure connection for encrypted communication. | Reuses the HTTPS port 443 for encrypted communication. |
| OSI layer of operation | Encrypted communication takes place at the Transport Layer (layer 4) of the OSI model. | Encrypted communication takes place at the Application Layer (layer 7) of the OSI model. |
| Operating system / application coverage | Either supported natively or configurable on various operating systems (macOS, Windows, and Linux). Once in place, it encrypts DNS communication for any application that uses DNS on the operating system. | Must be configured in each application/client that is to use it (e.g. browsers such as Firefox, Google Chrome, Opera, etc.). |
| Packet size | Because it operates at a lower layer, its packets are small. | Packets are larger than DoT’s because it operates at the Application Layer (layer 7 versus DoT’s layer 4). |
| Latency | Minimal latency in DNS requests. | Higher latency compared to DoT. |